In 2000 a co-worker brought an early Cisco VoIP phone into my office. He was tasked with doing a security review prior to a potential deployment in the company. His summation after five minutes with the docs, “It uses bootp and tftp to retrieve its operating image and unencrypted UDP to carry the audio stream.” We immediately thought of our CEO and CFO’s calls being recorded by anybody with access to the network infrastructure and ubiquitous bugging by patching the operating image. No way were we going to deploy the horrid little things.

"With voice communication comes social engineering"

In 2006 a few percent of homes have VoIP phones that are not much different from the one we looked at in 2000. And then there are many more software clients and the whole calling infrastructure exposed to the Internet. Moving voice services from proprietary telco protocols and infrastructure to public IP networks made phreaking synonymous with hacking. This is made obvious by the number of voice-service related presentation submissions we received this year for Black Hat.

However, the security impacts of prevalent and cheap voice services over IP networks go far beyond device, protocol and server weaknesses. With voice communication comes social engineering, so this year we have presentations demonstrating VoIP phishing, voice analytics used to defend against social engineering attacks, and the more traditional exploitation of technology weaknesses. We hope the combination will be enlightening and get the security community thinking hard about the implications of widespread voice services over IP networks.

Defending Against Social Engineering with Voice Analytics. Is your voice your password? Or something more telling?

For some bizarre reason, I mapped "voice analytics" to "social engineering" when he started talking about contact centers picking up on competitive offers by word selection (the whole "I have an offer from your competitor"). We started freewheeling on what you could do with all that recorded voice data, including identifying attackers through voice analysis and then sharing that profile/voice print among a group of peers. Say you catch someone trying to scam your credit card company. While you've been burned today, you can alert your competitors, who are, in turn, being burned by some other crew. Swap the voice profiles and it's a win-win. He left muttering, "How can I make a profit off of this?"

Radical idea? Not really, we're talking about the same concept that NSA has been accused of with Echelon: suck up all the voice, look for key words, ID voices. With the falling cost of hardware and a migration to VoIP, any medium-sized organization can do this; some already are.

We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also in order to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism on which attacks are likely to emerge into the public domain.

SIP Stack Fingerprinting and Stack Difference Attacks VoIP Phreaking?

by Hendrik Scholz

Did we learn anything from blue boxing? Yes, it’s fun and we get free calls.

Does PSTN convergence ring any bells? The traditional PSTN network nowadays is IP enabled and SIP signaling allows us to place calls over the internet. Previously safe from direct attacks, call control, billing, and lawful interception became prime targets for attacks. In my daily work I deal with SIP on the server side and, having access to a huge playground of devices, I put them to the test. Work includes an open source SIP stack fingerprinting tool as well as targets and exploits to go with them.

People using VoIP usually only care about the obvious features, not the drawbacks that might show up on your phone bill. We need to weed out bugs before they become an administrator’s and user’s nightmare.

Phishing with Asterisk PBX

by Jay Schulman

I’m hesitant to teach someone how to do something illegal more effectively. As with all disclosure discussions, the more we open people’s eyes, the more they’ll be prepared to defend against it. At least that’s my hope.

So let’s show the next generation of phishing attempts. What do all banks say on their websites? “We’ll never ask you to enter your information; we’ll always ask you to call us.” Ok, so if I’m going to send out a phishing e-mail that encourages you to call me what do I need?

Let’s start with Asterisk, the open-source PBX platform. It can emulate a professional IVR platform perfectly. Next, I have to have an 800# to be taken seriously. IAX.cc advertises those for 3.9 cents per minute. Done.

Now I need a professional sounding person for my IVR. Pay someone? Nope. Let’s call a bank using Asterisk and record their IVR prompts into WAV files. It takes some time to find the right 800 numbers for the right voice prompts, but that’s the creative part. Put all of the pieces together using Asterisk at Home’s IVR menuing system and we have a professional sounding IVR platform.

Now I just need to get someone to call in and try it.

Enterprise Networks vs. Cisco Vulnerabilities

First, some context. I've been in security for 20 years and started my career as a kernel programmer. However, at Gartner, my job is to serve large enterprise clients (revenue $1B and up). It's fun to play both sides with technical knowledge and the big, strategic business context, but let me be up front about one thing: I gave up my hands-on technical skills long ago and now I talk for a living.

Advances In Anomaly Detection

While we would all love to see bug-free code in our critical applications, we must recognize the reality that we are a long way off from security nirvana. One pragmatic way to make it through until transcendence is to find ways to reliably identify unexpected behavior in our systems as it occurs, and automatically deploy counter-measures. Tzi-cker Chiueh and Stefano Zanero promise to push the state-of-the-art to new levels in the field of software anomaly detection. Their approaches are a bit different from each other, so we hope these presentations will give attendees a lot to chew on and compare/contrast. I really hope to see deployable systems based on the work of these two very bright gentlemen in the near future.
